CN112383557B - Safety access gateway and industrial equipment communication management method - Google Patents


Info

Publication number
CN112383557B
Authority
CN
China
Prior art keywords
access
external equipment
api
equipment
certificate
Prior art date
Legal status
Active
Application number
CN202011288558.6A
Other languages
Chinese (zh)
Other versions
CN112383557A (en)
Inventor
孙亚东
王志海
喻波
何晋昊
魏力
Current Assignee
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Wondersoft Technology Co Ltd
Priority to CN202011288558.6A
Publication of CN112383557A
Application granted
Publication of CN112383557B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The embodiment of the invention provides a secure access gateway and an industrial equipment communication management method in the technical field of communication. The secure access gateway comprises a certificate management module which, on receiving a certificate application request from an external device, verifies the identity of the external device and, when verification passes, applies for a digital certificate on its behalf; an identity authentication module which verifies the digital certificate carried in an access request from the external device; a ticket management module which, on receiving the message that the digital certificate has passed verification, generates an access ticket and returns it to the external device; and an access control module which, on receiving an access request from the external device, verifies the carried access ticket and the requested API, sends an API execution request to the industrial device when verification passes, and returns the execution result. Because access uses a ticket, identity authentication and access control efficiency are markedly improved, and because the identity and the accessed API of the external device are strictly checked, authentication security is guaranteed.

Description

Safety access gateway and industrial equipment communication management method
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a secure access gateway and a method for managing communications of industrial devices.
Background
The industrial Internet is the product of the deep integration of a new generation of information technology with manufacturing. It builds a new production, manufacturing and service system in which people, machines and objects are comprehensively interconnected and all factors, the whole industry chain and the whole value chain are fully connected; it is therefore a path to digital transformation and a key force in converting old growth drivers into new ones. As one of the seven areas of "new infrastructure", the industrial Internet has risen to a new level of importance.
The industrial Internet is both the carrier and the outward expression of industrial digital transformation. Its core principle is data-driven collaboration between physical systems and the interconnected digital space. Data is the soul of the industrial Internet: it flows north-south, from bottom to top, from the device layer through the edge layer to the enterprise layer and the industry layer, and east-west within each layer. Network interconnection and system intercommunication accelerate data flow and at the same time create many data security risks.
Security risks of industrial Internet platforms. A typical industrial Internet platform today consists, from bottom to top, of a device layer, an edge layer, an enterprise layer and an industry layer. As network access by devices and cross-industry cooperation become more frequent, security threats grow. At the device layer they are mainly: users logging in to field devices illegitimately, external devices accessing the industrial control network illegitimately, and commands being tampered with or replayed; such threats then spread further, using the OT (Operational Technology) network as a springboard into the IT (Information Technology) network.
In current industrial Internet scenarios, when an external device communicates with intranet industrial devices, the external device is mostly authenticated by digital certificate or by user name and password. In the prior art, however, the digital certificate authentication mechanism makes authentication very inefficient, with long delays that affect business operations. User name and password authentication is easy to forge and carries a very high security risk: an attacker can obtain the user name and password by observation, interception, heuristic guessing and other means, and then forge the user's request data.
Disclosure of Invention
The invention provides a secure access gateway and an industrial equipment communication management method, which solve the problems of low efficiency and poor security in the prior-art authentication of communication between external devices and intranet industrial devices.
In a first aspect of the present invention, there is provided a secure access gateway comprising:
a certificate management module, configured to verify the identity of an external device of the industrial Internet when receiving a certificate application request uploaded by that device, to apply for a digital certificate for the external device when its identity verification passes, and to return the obtained digital certificate to the external device;
an identity authentication module, configured to verify the digital certificate carried in an access request when receiving the access request uploaded by the external device, and to send a verification-passed message to the ticket management module when that digital certificate passes verification;
a ticket management module, configured to generate an access ticket for the external device when receiving the verification-passed message sent by the identity authentication module, and to return the access ticket to the external device;
and an access control module, configured to verify the access ticket and the API information carried in an access request when receiving a request uploaded by the external device to access an application programming interface (API) of an industrial Internet internal device, to send an API execution request to the accessed internal device when both the access ticket and the API information pass verification, and to return the API execution result to the external device.
Preferably, the certificate application request carries the device information of the external device and the API information it intends to access;
the certificate management module is specifically configured to: when receiving a certificate application request uploaded by an industrial Internet external device, check the device information and API information carried in the request against the real device information and the legitimately accessible API information of that external device that were verified in advance, and determine that the identity verification of the external device passes when both match, and fails otherwise.
Preferably, the secure access gateway further comprises:
an external device information management module, configured to provide a device information input interface and an API information input interface, and to store the entered device information and accessible API information of the external device once they have been verified.
Preferably, the certificate management module is specifically configured to: when the identity verification of the external device passes, send a request to a certificate authority to apply for a digital certificate for the external device, so that the certificate authority generates the digital certificate for the external device using a first preset national commercial cryptographic algorithm, and forward the digital certificate returned by the certificate authority to the external device.
Preferably, the first preset national commercial cryptographic algorithm is the elliptic curve public key cryptographic algorithm SM2 or the cryptographic hash algorithm SM3.
Preferably, the ticket management module is further configured to set a validity period for the access ticket after generating it for the external device;
the access control module is specifically configured to: when receiving a request uploaded by the external device to access an API of an industrial Internet internal device, verify both the authenticity and the validity period of the access ticket carried in the request.
Preferably, the ticket management module is specifically configured to generate the access ticket for the external device using a second preset national commercial cryptographic algorithm.
Preferably, the second preset national commercial cryptographic algorithm is the block cipher algorithm SM4.
Preferably, the secure access gateway further comprises an API proxy module;
the access control module is specifically configured to: when the access ticket and the API information carried in the communication request pass verification, send an API forwarding request to the API proxy module, so that the API proxy module sends the API execution request to the accessed industrial Internet internal device and returns the API execution result to the external device.
In a second aspect of the present invention, there is also provided an industrial equipment communication management method, including:
when a certificate application request uploaded by an external device of the industrial Internet is received, verifying the identity of the external device, applying for a digital certificate for the external device when its identity verification passes, and returning the obtained digital certificate to the external device;
when an access request uploaded by the external device is received, verifying the digital certificate carried in the access request;
when the digital certificate carried in the access request passes verification, generating an access ticket for the external device and returning the access ticket to the external device;
when a request uploaded by the external device to access an application programming interface (API) of an industrial Internet internal device is received, verifying the access ticket and the API information carried in the request; and when both the access ticket and the API information pass verification, sending an API execution request to the accessed industrial Internet internal device and returning the API execution result to the external device.
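The four steps above, modelled end to end as an added example (this is not code from the patent or its assignee): a pre-verified registry of device information and legitimately accessible APIs, the certificate application check, certificate verification followed by ticket issuance with a validity period, and the access control check of ticket authenticity, expiry and requested API. Two substitutions are assumptions made so the block runs offline: tickets are protected with HMAC-SHA256 rather than the SM4-based ticket the patent specifies, and the CA-issued SM2/SM3 certificate is modelled as a dict signed under a CA key with the same HMAC. Device names, addresses and API paths are constructed sample values.

```python
"""Added example (not the patent's own code): certificate application -> certificate
check -> ticket issuance with validity period -> ticket + API check.
Assumptions: HMAC-SHA256 stands in for the patent's SM4 ticket protection and for the
CA's SM2/SM3 certificate signature; all device data below is constructed."""
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample registry: the "real device information and accessible legal API
# information" that the gateway verified in advance.
VERIFIED_DEVICES = {
    "robot-arm-7": {
        "ip": "10.20.30.40",
        "mac": "aa:bb:cc:dd:ee:01",
        "apis": {"/device/start", "/device/stop"},
    },
}

CA_KEY = b"constructed-ca-key"          # assumption: stands in for the CA signing key
TICKET_KEY = b"constructed-ticket-key"  # assumption: stands in for the gateway's SM4 key
TICKET_LIFETIME_S = 300                 # validity period set by the ticket management module


def _mac(key: bytes, payload: dict) -> str:
    """Deterministic MAC over a JSON-serialised payload."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def apply_certificate(request: dict) -> Optional[dict]:
    """Certificate management: device info and every requested API must match the
    pre-verified record; only then is a CA-signed certificate issued."""
    record = VERIFIED_DEVICES.get(request["device"])
    if record is None:
        return None
    if (request["ip"], request["mac"]) != (record["ip"], record["mac"]):
        return None
    if not set(request["apis"]) <= record["apis"]:
        return None
    body = {"device": request["device"], "apis": sorted(request["apis"])}
    return {"body": body, "sig": _mac(CA_KEY, body)}


def issue_ticket(cert: dict, now: Optional[float] = None) -> Optional[dict]:
    """Identity authentication + ticket management: verify the certificate, then mint
    an access ticket that carries the permitted APIs and an expiry time."""
    if not hmac.compare_digest(cert["sig"], _mac(CA_KEY, cert["body"])):
        return None
    now = time.time() if now is None else now
    body = {**cert["body"], "exp": now + TICKET_LIFETIME_S}
    return {"body": body, "mac": _mac(TICKET_KEY, body)}


def check_access(ticket: dict, api: str, now: Optional[float] = None) -> str:
    """Access control: authenticity first, then validity period, then the API.
    Returns "ok" when the request may be forwarded, otherwise the reason for refusal."""
    if not hmac.compare_digest(ticket["mac"], _mac(TICKET_KEY, ticket["body"])):
        return "forged ticket"
    now = time.time() if now is None else now
    if now > ticket["body"]["exp"]:
        return "ticket expired"
    if api not in ticket["body"]["apis"]:
        return "api not permitted"
    return "ok"


if __name__ == "__main__":
    cert = apply_certificate({"device": "robot-arm-7", "ip": "10.20.30.40",
                              "mac": "aa:bb:cc:dd:ee:01", "apis": ["/device/start"]})
    ticket = issue_ticket(cert)
    print(check_access(ticket, "/device/start"))   # ok
    print(check_access(ticket, "/device/stop"))    # api not permitted
```

The order of checks in `check_access` matters: the MAC is verified before any field of the ticket body is trusted, so a tampered expiry or API list is rejected as a forgery rather than evaluated.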
In a third aspect of the present invention, there is also provided an electronic device, including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is for storing a computer program; and
the processor is for implementing the steps of any of the industrial equipment communication management methods described above when executing the program stored in the memory.
In a fourth aspect of the present invention, there is also provided a computer-readable storage medium on which a computer program is stored which, when executed by a processor, implements any of the industrial equipment communication management methods described above.
Compared with the prior art, the invention has the following advantages:
in the embodiment of the invention, the secure access gateway comprises a certificate management module, an identity authentication module, a ticket management module and an access control module. When the certificate management module receives a certificate application request uploaded by an industrial Internet external device, it verifies the identity of the external device, applies for a digital certificate for the external device when its identity verification passes, and returns the obtained digital certificate to the external device. When the identity authentication module receives an access request uploaded by the external device, it verifies the digital certificate carried in the access request and, when that certificate passes verification, sends a verification-passed message to the ticket management module. When the ticket management module receives the verification-passed message from the identity authentication module, it generates an access ticket for the external device and returns it to the external device. When the access control module receives a request uploaded by the external device to access an API of an industrial Internet internal device, it verifies the access ticket and the API information carried in the request and, when both pass verification, sends an API execution request to the accessed industrial Internet internal device and returns the API execution result to the external device.
The secure access gateway addresses the trustworthiness of the identity of external accessing devices at the device-layer access point. When an external device accesses for the first time, the secure access gateway checks the legitimacy of its identity, issues an identity digital certificate for it and generates a ticket; thereafter the external device accesses using the ticket. This markedly improves identity authentication and access control efficiency and solves the problem of low certificate-authentication efficiency, while the identity and the accessed API of the external device are strictly checked, so data transmission efficiency is not affected while authentication security is guaranteed.
The foregoing is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be understood more clearly and implemented in accordance with the description, and that the above and other objects, features and advantages of the invention may become more readily apparent, the specific embodiments of the invention are set out below.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings used in the description of the embodiments are briefly described below.
Fig. 1 is a schematic block diagram of a secure access gateway provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the relationship between a secure access gateway and other external systems according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of a secure access gateway according to an embodiment of the present invention obtaining an identity digital certificate for an external device;
Fig. 4 is a schematic flow chart of a secure access gateway according to an embodiment of the present invention performing access identity authentication for an external device;
Fig. 5 is a schematic flow chart of ticket-based communication between an external device and an industrial Internet internal device according to an embodiment of the present invention;
Fig. 6 is a schematic block diagram of a secure access gateway for a cigarette factory provided by an embodiment of the present invention;
Fig. 7 is a schematic technical architecture diagram of a secure access gateway for a cigarette factory according to an embodiment of the present invention;
Fig. 8 is a schematic diagram of the deployment architecture of a secure access gateway for a cigarette factory according to an embodiment of the present invention;
Fig. 9 is a schematic block diagram of a secure access gateway for intelligent connected vehicles according to an embodiment of the present invention;
Fig. 10 is a schematic technical architecture diagram of a secure access gateway for intelligent connected vehicles according to an embodiment of the present invention;
Fig. 11 is a schematic diagram of the deployment architecture of a secure access gateway for intelligent connected vehicles according to an embodiment of the present invention;
Fig. 12 is a schematic flow chart of an industrial equipment communication management method according to an embodiment of the present invention;
Fig. 13 is a schematic block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
In the industrial field, the IT architecture of a manufacturing enterprise generally comprises three layers, a device layer, an edge layer and an enterprise layer, which together ensure stable operation of equipment and support continuous operation of the enterprise. With the rapid development of the industrial Internet, however, the large number of production devices at the enterprise's device layer must interface with software and hardware devices outside the enterprise, and because the identities of those external devices are not under the enterprise's control, this interfacing creates many information security problems that seriously affect normal operations.
The embodiment of the invention provides a secure access gateway and an industrial equipment communication management method. The secure access gateway addresses the trustworthiness of the identity of external accessing devices at the access point of the device layer, and by adopting a ticket mechanism ensures that data transmission efficiency is not affected while authentication remains secure.
Fig. 1 is a schematic block diagram of a secure access gateway provided in an embodiment of the present invention. Referring to Fig. 1, the secure access gateway 100 includes:
the certificate management module 101, configured to verify the identity of an industrial Internet external device when receiving a certificate application request uploaded by that device, to apply for a digital certificate for the external device when it passes identity verification, and to return the obtained digital certificate to the external device.
Here, when the external device applies to the secure access gateway for a certificate, the certificate management module 101 first verifies the identity of the external device, then applies for the digital certificate on its behalf, and issues the certificate to the external device once it is obtained. The external device is thus authenticated before it may apply for a digital certificate and is allowed to apply only when authentication passes, which strengthens the security guarantee.
The certificate management module 101 may authenticate the external device by, for example, checking its device information, or by checking both its device information and the API (Application Programming Interface) information it intends to access.
When the external device passes authentication, the certificate management module 101 may apply for the digital certificate from a certificate authority (CA), although the invention is not limited to this.
The external device mentioned in the embodiment of the invention refers to software and hardware devices outside the manufacturing enterprise's industrial Internet, and may be an external device of any type.
The identity authentication module 102 is configured to verify the digital certificate carried in an access request when receiving the access request uploaded by the external device and, when the digital certificate passes verification, to send a verification-passed message to the ticket management module.
When the external device applies to access the secure access gateway, the identity authentication module 102 checks the legitimacy and validity of its identity digital certificate and, when the check passes, sends a message to the ticket management module for further processing. Identity is thus authenticated again before the external device communicates with the manufacturing enterprise's internal devices, and the external device may access and communicate with the internal devices only when this authentication passes, which further ensures security.
The identity authentication module 102 may verify the digital certificate itself or send it to the certificate authority CA for verification.
The ticket management module 103 is configured to generate an access ticket for the external device when receiving the verification-passed message from the identity authentication module, and to return the access ticket to the external device.
Here, after the identity authentication module 102 has verified the external device's identity digital certificate, the ticket management module 103 generates a secure access ticket for the external device. The access ticket then serves as the identity authentication data when the external device communicates with internal devices, and authenticating by access ticket markedly improves the efficiency of identity authentication and access control.
The access control module 104 is configured to verify the access ticket and the API information carried in an access request when receiving a request uploaded by the external device to access an application programming interface (API) of an industrial Internet internal device and, when both the access ticket and the API information pass verification, to send an API execution request to the accessed internal device and return the API execution result to the external device.
Here, when the external device carries an access ticket in its request and communicates with an internal device of the manufacturing enterprise's industrial Internet, the access control module verifies the legitimacy of the access ticket and of the API, so the identity and the accessed API of the external device are strictly checked and communication security is ensured; because authentication is performed through the access ticket, identity authentication and access control efficiency are markedly improved.
Preferably, the secure access gateway further comprises an API proxy module 105;
the access control module 104 is specifically configured to: when the access ticket and the API information carried in the communication request pass verification, send an API forwarding request to the API proxy module 105, so that the API proxy module 105 sends the API execution request to the accessed industrial Internet internal device and returns the API execution result to the external device.
In this case, after the access control module 104 has verified the legitimacy of the access ticket and the API, the API proxy module 105 forwards the API execution request to the manufacturing enterprise's internal device on the external device's behalf, providing isolation and security control.
The secure access gateway 100 of the embodiment addresses the trustworthiness of the identity of external accessing devices at the device-layer access point. When an external device accesses for the first time, the secure access gateway 100 checks the legitimacy of its identity, issues an identity digital certificate for it and generates a ticket; thereafter the external device accesses using the ticket. This markedly improves identity authentication and access control efficiency and solves the problem of low certificate-authentication efficiency, while the identity and the accessed API of the external device are strictly checked, so data transmission efficiency is not affected while authentication security is guaranteed.
Preferably, the certificate application request carries the device information of the external device and the API information it intends to access;
the certificate management module 101 is specifically configured to: when receiving a certificate application request uploaded by an industrial Internet external device, check the device information and API information carried in the request against the real device information and the legitimately accessible API information of that external device verified in advance, and determine that the identity verification of the external device passes when both check out, and fails otherwise.
In this case, when the external device applies for a certificate, the certificate management module 101 checks the legitimacy and security of the device information and API information reported by the external device against its real device information and legitimately accessible API information, and only when the check passes is the external device allowed to apply for a digital certificate. Identity authentication and access control of external devices are thus realised by strictly checking both the identity of the accessing device and the API it accesses, which greatly improves the secure access guarantee capability of the industrial scenario.
Specifically, the certificate management module 101 may check whether the device information and API information carried in the certificate application request are consistent with the pre-verified real device information and legitimately accessible API information, and pass the verification if they are.
The device information of the external device may include, for example, a device name, an IP address and a MAC address, but is not limited to these.
The secure access gateway 100 may also implement permission control for external devices. Permission control means restricting the addresses, APIs and so on of the industrial Internet platform that an external device may access, that is, limiting which internal device addresses and APIs each external device may reach; it can be configured flexibly as required and is not limited here.
Preferably, the secure access gateway 100 further comprises:
the external device information management module 106 is configured to provide a device information input interface and an API information input interface, and to store the entered device information and accessible API information of the external device after they have been verified.
The APIs of an industrial Internet internal device may include, for example (for illustration only and not limitation), APIs controlling operations such as starting, stopping and turning the device; access to them can be limited per external device, and an external device fills in both its device information and the accessible API information when entering information at the secure access gateway.
At this time, the external device first fills in its device information and API information at the secure access gateway 100; after verifying the validity and security of this information, the secure access gateway 100 stores the device information and API information filled in by the external device for later verification of the external device's identity, and records the verification result in the system, from which the external device retrieves the result through an interface.
The secure access gateway 100 may verify the device information and the API information first filled in by the external device manually, but is not limited thereto.
Preferably, the certificate management module 101 is specifically configured to: when the identity verification of the external device passes, send a request to a certificate authority to apply for a digital certificate for the external device, so that the certificate authority generates the digital certificate for the external device using a first preset national commercial cryptographic algorithm, and forward the digital certificate returned by the certificate authority to the external device.
The first preset national commercial cryptographic algorithm may be an elliptic curve public key cryptographic algorithm SM2 or a cryptographic hash algorithm SM3, but is not limited thereto.
Here, after receiving a certificate application request from an external device, the secure access gateway 100 first verifies the identity information and the API information; after verification it applies to a certificate authority (CA) for an identity digital certificate, the CA generates the digital certificate using commercial cryptographic algorithms such as SM2 and SM3 and returns it to the secure access gateway, and the secure access gateway issues the certificate to the external device. In the prior art, digital certificate authentication mainly relies on the foreign RSA algorithm, which poses a significant risk to autonomous controllability.
Fig. 2 is a schematic diagram of a relationship between a security access gateway and other external systems according to an embodiment of the present invention. The security access gateway of the embodiment of the invention respectively interacts with external equipment, industrial Internet internal equipment of a manufacturing enterprise, CA and other external systems. The security access gateway is based on CA, and realizes identity authentication and data encryption and decryption based on commercial cryptographic algorithm. The safety access gateway isolates the external equipment from the internal equipment of the production enterprise, and provides uniform identity authentication for the external equipment to access the internal equipment of the production enterprise.
Fig. 3 is a schematic flow chart of the secure access gateway according to an embodiment of the present invention obtaining an identity digital certificate for an external device. The secure access gateway is deployed at the device layer of the production enterprise's IT architecture, acting as the proxy for interaction between the device layer and external devices; all accesses must be authenticated by the secure access gateway before subsequent access operations can proceed. The steps for an external device to obtain an identity digital certificate are as follows:
S301: the external device fills in device information and API information at the secure access gateway;
S302: the secure access gateway verifies the validity and security of the identity information and the API information manually, and records the verification result in the system;
S303: the external device retrieves the verification result through an interface;
S304: the external device packages its identity information and the APIs and applies for a digital certificate;
S305: after receiving the certificate application request, the secure access gateway verifies whether the packaged information is consistent with the verified real identity information and legal API information, and after verification applies to the CA for an identity digital certificate;
S306: the CA generates a digital certificate using commercial cryptographic algorithms such as SM2 and SM3 and sends it to the secure access gateway, which issues the digital certificate to the external device.
After the above 6 steps, the external device has obtained an identity digital certificate for accessing the device layer of the manufacturing enterprise.
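Steps S301 to S305 as an added example, not the patent's own code: an in-memory registry standing in for the external device information management module, and the consistency check the certificate management module applies to a certificate application. The module and function names, the data shapes, the case-insensitive MAC comparison and the sample device are assumptions made for this example; the CA request of S306 is not modelled.

```python
"""Device registration and certificate-application check at the gateway.

Added example (not the patent's own code). A device files its information
and the APIs it needs (S301), an operator reviews the entry (S302), the
device fetches the result (S303) and later applies for a certificate
(S304); the application is accepted only when the device information and
API list it carries match the reviewed record (S305).
"""
from dataclasses import dataclass

APPROVED = "approved"
PENDING = "pending"
REJECTED = "rejected"


@dataclass(frozen=True)
class DeviceInfo:
    name: str
    ip: str
    mac: str

    def normalized(self) -> "DeviceInfo":
        # Compare MACs case-insensitively so "AA:BB" and "aa:bb" are the same
        # device (an assumption of this example; the patent only says "consistent").
        return DeviceInfo(self.name.strip(), self.ip.strip(), self.mac.strip().lower())


@dataclass
class RegistryEntry:
    device: DeviceInfo
    apis: frozenset          # APIs the device asked to access
    status: str = PENDING    # set by the manual review (S302)


class ExternalDeviceRegistry:
    """Stand-in for the external device information management module (106)."""

    def __init__(self):
        self._entries: dict[str, RegistryEntry] = {}

    def submit(self, device: DeviceInfo, apis) -> None:
        # S301: the device fills in its information and the API list it needs.
        d = device.normalized()
        self._entries[d.name] = RegistryEntry(d, frozenset(apis))

    def review(self, name: str, approved: bool) -> None:
        # S302: an operator checks validity/security and records the result.
        self._entries[name].status = APPROVED if approved else REJECTED

    def result(self, name: str) -> str:
        # S303: the device fetches the review result through an interface.
        return self._entries[name].status if name in self._entries else "unknown"

    def get(self, name: str):
        return self._entries.get(name)


class CertificateManagement:
    """Stand-in for the certificate management module (101): check before the CA request."""

    def __init__(self, registry: ExternalDeviceRegistry):
        self.registry = registry

    def verify_application(self, device: DeviceInfo, apis) -> tuple:
        """S305: pass only if device info and APIs match the reviewed record.

        Returns (passed, reason). Only on success would the gateway go on to
        ask the CA for an SM2/SM3 certificate (S306, not modelled here).
        """
        d = device.normalized()
        entry = self.registry.get(d.name)
        if entry is None:
            return False, "device not registered"
        if entry.status != APPROVED:
            return False, f"device review status is {entry.status}"
        if entry.device != d:
            # Name matches but IP or MAC differ: treat as a different device.
            return False, "device information differs from reviewed record"
        extra = frozenset(apis) - entry.apis
        if extra:
            # Fine-grained check: every requested API must be on the approved list.
            return False, "unapproved APIs requested: " + ", ".join(sorted(extra))
        return True, "ok"


def demo() -> dict:
    """Walk through the flow with constructed sample data."""
    reg = ExternalDeviceRegistry()
    gw = CertificateManagement(reg)
    monitor = DeviceInfo("shred-monitor-1", "10.1.20.5", "AA:BB:CC:00:11:22")
    reg.submit(monitor, ["/api/shred/status", "/api/shred/start", "/api/shred/stop"])
    reg.review("shred-monitor-1", approved=True)
    return {
        "review": reg.result("shred-monitor-1"),
        "ok": gw.verify_application(
            DeviceInfo("shred-monitor-1", "10.1.20.5", "aa:bb:cc:00:11:22"),
            ["/api/shred/status", "/api/shred/stop"]),
        "bad_api": gw.verify_application(monitor, ["/api/shred/status", "/api/power/stop"]),
        "bad_ip": gw.verify_application(
            DeviceInfo("shred-monitor-1", "10.1.20.99", "aa:bb:cc:00:11:22"),
            ["/api/shred/status"]),
        "unknown": gw.verify_application(DeviceInfo("rogue", "10.1.20.7", "00:00:00:00:00:01"), []),
    }
```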
Preferably, the ticket management module 103 is further configured to: after an access bill is generated for the external equipment, setting the validity period of the access bill;
the access control module 104 is specifically configured to: when an access request for an API of an industrial Internet internal device uploaded by the external device is received, verify both the authenticity and the validity period of the access ticket carried in the access request.
At this time, the ticket management module 103 generates an access ticket for the external device, and can set the validity period of the access ticket, and in the validity period, the external device can keep access to the API of the industrial internet internal device, thereby improving the identity authentication and access control efficiency.
The validity period of the access ticket used by each external device can be set flexibly by the system according to actual requirements and is not limited here. For example, for an external device that accesses more frequently, a longer validity period can be set for the access ticket used for its communication, for example one access ticket may serve as identity authentication for 10 HTTP requests; for an external device that accesses rarely, a shorter validity period can be set, for example one access ticket may serve as identity authentication for a single HTTP request.
Preferably, the ticket management module 103 is specifically configured to: generate the access ticket for the external device using a second preset national commercial cryptographic algorithm.
The second preset national commercial cryptographic algorithm may be a block cryptographic algorithm SM4, but is not limited thereto.
At this time, the access ticket is generated using a national commercial cryptographic algorithm, so that autonomous controllability is achieved and the corresponding potential security risk is avoided. The access ticket is a character string generated with a national commercial cryptographic algorithm; the string is produced by an irreversible operation and can be decrypted rapidly. After the external device obtains the ticket, it accesses with the ticket, which greatly improves the efficiency of identity authentication and access control and solves the problem of low certificate authentication efficiency.
Fig. 4 is a schematic flow chart of access identity authentication of external devices by the secure access gateway according to the embodiment of the present invention. The external device performs identity authentication before communicating with the internal devices of the production enterprise. The authentication process is as follows:
S401: the external device submits its digital certificate to the secure access gateway and requests identity verification;
S402: the secure access gateway verifies the validity and legality of the certificate;
S403: after verification passes, an access ticket is generated for the external device;
S404: the access ticket is sent to the external device as the return value of identity verification.
Fig. 5 is a schematic flow chart of communication between an external device holding a ticket and an industrial Internet internal device according to the embodiment of the invention. After the identity authentication of the external device passes, it obtains a communication access ticket and uses the access ticket to communicate with the industrial internal device. The communication process is as follows:
S501: the external device, holding the access ticket, initiates an API access request to the secure access gateway;
S502: the secure access gateway verifies the access ticket and the API, and after verification passes forwards the request to the industrial internal device;
S503: the industrial internal device executes the API operation;
S504: the execution result is filled into the return value according to the interface requirements;
S505: the secure access gateway returns the return value to the external device, and the communication ends.
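The ticket flow of Fig. 4 and Fig. 5 as an added example, not the patent's own code: the ticket management module issues a ticket whose validity period is a request count (the patent's own example is 10 HTTP requests for a busy device and 1 for a rare one), and the access control module checks authenticity, remaining validity and the requested API before forwarding. The patent generates the ticket string with SM4; since the Python standard library has no SM4, an HMAC-SHA256 tag over the ticket payload is substituted here, and the per-device API list, the function names and all sample data are constructed.

```python
"""Access ticket issue/verify and API forwarding (Fig. 4 and Fig. 5).

Added example, not the patent's own code. Validity is counted in requests.
The patent builds the ticket string with SM4; this example substitutes an
HMAC-SHA256 tag (assumption). Names and sample data are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Callable, Optional


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class TicketManagement:
    """Stand-in for the ticket management module (103): issue tickets, set validity."""

    def __init__(self, key: bytes):
        self._key = key
        self._remaining: dict[str, int] = {}    # ticket id -> requests still allowed

    def issue(self, device_name: str, max_requests: int) -> str:
        # Ticket = base64url(payload) "." base64url(tag). The keyed tag binds the
        # payload to the gateway key, so a device cannot mint or alter tickets.
        tid = secrets.token_hex(8)
        payload = json.dumps({"id": tid, "dev": device_name, "max": max_requests},
                             separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        self._remaining[tid] = max_requests      # S403: validity set at generation
        return _b64(payload) + "." + _b64(tag)

    def check(self, ticket: str) -> Optional[dict]:
        """Return the payload if the ticket is authentic and still valid, else None.

        Every successful check consumes one request from the ticket's budget.
        """
        try:
            p64, t64 = ticket.split(".", 1)
            payload, tag = _unb64(p64), _unb64(t64)
        except (ValueError, TypeError):
            return None                          # malformed ticket string
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                          # forged or altered ticket
        data = json.loads(payload)
        left = self._remaining.get(data["id"], 0)
        if left <= 0:
            return None                          # validity period exhausted
        self._remaining[data["id"]] = left - 1
        return data


class AccessControl:
    """Stand-in for the access control module (104) plus the API proxy."""

    def __init__(self, tickets: TicketManagement, api_whitelist: dict,
                 internal_device: Callable[[str, dict], dict]):
        self.tickets = tickets
        self.api_whitelist = api_whitelist       # device name -> set of approved APIs
        self.internal_device = internal_device   # stands in for the real internal device

    def handle(self, ticket: str, api: str, args: dict) -> dict:
        # S502: verify the ticket and the API; forward only when both pass.
        data = self.tickets.check(ticket)
        if data is None:
            return {"status": 401, "error": "invalid or expired ticket"}
        if api not in self.api_whitelist.get(data["dev"], set()):
            return {"status": 403, "error": "API not permitted for this device"}
        # S503-S505: the internal device executes the API; its result is returned.
        return {"status": 200, "result": self.internal_device(api, args)}


def demo() -> list:
    """Issue a two-request ticket, use it up, then try a tampered copy."""
    tm = TicketManagement(key=b"constructed-gateway-key-not-for-real-use")
    # Constructed stand-in for the cut tobacco line equipment's API handler.
    ac = AccessControl(tm, {"shred-monitor-1": {"/api/shred/status", "/api/shred/start"}},
                       lambda api, args: {"api": api, "args": args, "state": "ok"})
    t = tm.issue("shred-monitor-1", max_requests=2)
    out = [ac.handle(t, "/api/shred/status", {})["status"],   # 200: ticket and API pass
           ac.handle(t, "/api/power/stop", {})["status"],      # 403: API not approved (uses one request)
           ac.handle(t, "/api/shred/status", {})["status"]]    # 401: request budget exhausted
    # Tampering attempt: change the device name in the payload, keep the old tag.
    p64, t64 = t.split(".")
    forged = json.loads(_unb64(p64))
    forged["dev"] = "other-device"
    bad = _b64(json.dumps(forged, separators=(",", ":")).encode()) + "." + t64
    out.append(ac.handle(bad, "/api/shred/status", {})["status"])   # 401: tag mismatch
    return out   # [200, 403, 401, 401]
```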
The secure access gateway of the embodiment of the invention combines a national cryptographic certificate with a ticket, both based on commercial cryptographic algorithms, and performs strict checking and fine-grained comparison of the identity of the accessing device and the accessed API, thereby realizing identity authentication and access control of industrial access devices and greatly improving the secure access guarantee capability of industrial scenarios. Because the external device accesses with the access ticket generated by the secure access gateway, the efficiency of identity authentication and access control is greatly improved and the problem of low certificate authentication efficiency is solved.
As shown in fig. 1, the secure access gateway according to an embodiment of the present invention may further include a system management module 107 for providing basic management functions such as administrator user management, encryption cards, and the like. The system management module 107 may also provide service management, policy management, and service monitoring. The service management refers to dividing the communication types between the equipment side and the security access gateway into a plurality of service types such as identity registration, identity authentication, data transmission and the like. Policy management refers to defining service priority, controlling service start and stop, etc. according to service type, number of services. Service monitoring refers to monitoring service execution conditions, optimizing a data communication process according to a management policy, and ensuring that various communication types are completed efficiently.
The secure access gateway according to the embodiment of the present invention may further include a data encryption and decryption module (not shown in the figure) for performing encryption and decryption operations on data sent from the device side to the industrial internet. Specifically, when the secure access gateway is deployed in a factory side scene, after the secure access gateway performs data encryption, the ciphertext is sent to the industrial internet platform. And when the security access gateway is deployed in the scene of the industrial Internet platform side, the security access gateway executes decryption operation after receiving the ciphertext uploaded by the factory side.
The following illustrates the secure access gateway according to the embodiment of the present invention in conjunction with a specific application scenario.
Example one:
in the daily production business of a cigarette factory, the cigarette production equipment mainly comprises cut tobacco line equipment, wrapping line equipment and power and energy equipment. The cut tobacco line equipment cuts tobacco leaves into cut tobacco; the wrapping line equipment wraps the cut tobacco into cigarettes and packs the cigarettes into packs, cartons and cases. The power and energy equipment supplies the water, electricity, gas and steam required by the cut tobacco and wrapping line production processes. Stable operation of the cut tobacco line equipment, the wrapping line equipment and the power and energy equipment is a prerequisite for production, so a large number of monitoring systems and devices are needed to monitor them, discover problems in time and assist operation and maintenance work.
The cigarette factory secure access gateway constructed with the secure access gateway framework of the embodiment of the invention is shown in Fig. 6. The cigarette factory secure access gateway is composed of an external device information management module, a certificate management module, an access control module, an identity authentication module, a ticket management module, an API proxy module and so on. The external device information management module records and audits the information of external devices accessing the cut tobacco line equipment, the wrapping line equipment and the power and energy equipment, together with the details of the API interfaces they access, and comprises device information input, API input, information audit, and device information and API verification sub-modules. The certificate management module receives the identity request information of the external device, applies to the CA for a certificate based on a commercial cryptographic algorithm, and issues the certificate to the external device; it comprises certificate application, certificate synchronization and certificate list sub-modules. The ticket management module generates temporary credentials with which external devices quickly access the production line equipment of the cigarette factory: an access ticket string is generated with a commercial cryptographic algorithm, the validity period of the ticket is set, and the secure access gateway verifies the validity and authenticity of the access ticket, which greatly improves the efficiency of identity authentication and access control; it comprises ticket generation, ticket model and ticket verification sub-modules.
The API proxy module forwards the API calls of external devices to the production line equipment of the cigarette factory, providing isolation and security control, and comprises an API forwarding sub-module, a service monitoring sub-module and a service scheduling sub-module. The access control module comprises ticket verification and API verification sub-modules. The identity authentication module comprises a certificate verification sub-module. The system management module comprises user management, encryption card and log audit sub-modules.
As shown in fig. 7, a schematic technical architecture of a security access gateway of a cigarette factory is shown. The safety access gateway of the cigarette factory is divided into a front-end access gateway of equipment and a safety access management subsystem in the technical level.
The device front-end access gateway authenticates the identity of accessing devices, encrypts data sent to the cloud and monitors data transmission services. Its main functions are device authentication, rights control, data encryption and service monitoring. Device authentication works as follows: before accessing the industrial Internet platform of the cigarette factory, an external device first applies to the device front-end access gateway for a digital certificate; after the device front-end access gateway verifies the identity of the external device, it requests the digital certificate from the CA, and the CA issues the digital certificate for the external device using SM2, SM3 and other national cryptographic algorithms. The external device then carries the digital certificate to request identity authentication from the device front-end access gateway, which may forward the request to the CA for identity authentication. After the identity authentication passes, data transmission proceeds. Rights control refers to controlling the addresses, APIs and so on of the industrial Internet platform that the device side may request. Data encryption refers to the encryption and decryption of the data sent by the device side to the industrial Internet: when the device front-end access gateway is deployed on the factory side, it encrypts the data and sends the ciphertext to the industrial Internet platform, and when it receives ciphertext uploaded from the industrial side it performs the decryption operation.
The secure access management subsystem manages the device front-end access gateway. Its main functions comprise access transmission monitoring, service and policy management, protocol decryption and forwarding, access authentication, interfacing with the cryptographic infrastructure, and providing identity authentication, device registration, data encryption and decryption, service pushing and similar functions to the device front-end access gateway. Service management refers to dividing the communication between the device side and the secure front-end access gateway into several service types such as identity registration, identity authentication and data transmission. Policy management refers to defining service priorities and controlling service start and stop according to service type and number of services. Service monitoring refers to monitoring service execution, optimizing the data communication process according to the management policy, and ensuring that all communication types complete efficiently.
The main technical indexes of the safety access gateway of the cigarette factory comprise: commercial cryptographic algorithms such as SM2, SM3, SM4 and the like are supported; new connection speed (times/second) >3000; throughput rate (MB/sec) >800Mbps; authentication number per second (TPS) >5000.
Fig. 8 is a schematic diagram of the deployment architecture of the secure access gateway in a cigarette factory. In this project, the network architecture of the cigarette factory comprises an access authentication zone and a core computing zone, isolated from each other by a firewall. The secure access gateway is deployed in the access authentication zone. 3 sets of external systems are connected to the cigarette factory production line through the secure access gateway: 1 cut tobacco line equipment monitoring system is connected to the cut tobacco production equipment of the cigarette factory, involving 20 APIs; 1 wrapping line equipment monitoring system is connected to the wrapping production equipment of the cigarette factory, involving 15 APIs; and the power equipment monitoring system 4 is connected to the power and energy equipment of the cigarette factory, involving 26 APIs. The secure access gateway performs identity authentication, ticket generation and verification, access control and certificate synchronization.
Example two:
V2X (Vehicle to Everything, V stands for vehicle and X stands for external unit in communication with vehicle) intelligent networked car is an important link to realize automatic driving of vehicle. In the running scene of the intelligent network-connected automobile, a large number of equipment such as an intelligent street lamp, a mobile phone terminal such as an electronic key and configuration equipment such as a charging pile are required to be accessed into a cloud platform of the intelligent network-connected automobile, and how to ensure the safety and the credibility of a large number of access equipment is an essential foundation for the development of the intelligent network-connected automobile.
An intelligent network-connected automobile security access gateway constructed by the security access gateway architecture of the embodiment of the invention is shown in fig. 9. The intelligent network-connected automobile safety access gateway based on the commercial cryptographic algorithm provides safety access checking capability for an intelligent network-connected automobile cloud platform, and ensures that the identity of the vehicle-mounted system, roadside units, electronic keys APP and charging piles which are accessed to the cloud platform are credible and the access instructions are credible under different application scenes such as low-delay, massive access and high bandwidth.
The intelligent network-connected automobile secure access gateway consists of a secure access gateway proxy end and a secure access gateway server end. The secure access gateway proxy end provides certificate, ticket, identity authentication, access control and API proxy services for external devices such as vehicle-mounted information systems and roadside units; the secure access gateway server end provides basic information management services for external devices (management of vehicles, roadside units, APP information and so on), and provides commercial cryptographic certificate and synchronization services and ticket management services to the secure access gateway proxy end.
Fig. 10 is a schematic diagram of the technical architecture of the intelligent network-connected automobile secure access gateway. Serving the business scenarios in which vehicle-mounted intelligent terminals, roadside units, mobile APPs and supporting equipment access the cloud platform, the gateway takes the confidentiality, availability and integrity of important data such as personal privacy data and vehicle driving data as its main objectives; it is based on the PDRR security model, organized around the data life cycle, relies on commercial cryptographic algorithms, and achieves defence in depth and autonomous controllability.
Certificate issuing function of the intelligent network-connected automobile secure access gateway. Before external devices such as vehicle-mounted intelligent terminals, roadside units, mobile APPs and charging piles communicate with the cloud, they register their identity information with the information management module of the secure access gateway server end. After registration, an external device such as a vehicle-mounted intelligent terminal initiates a certificate application to the secure access gateway proxy end; the secure access gateway verifies the identity and then initiates a certificate application to the CA, and the CA generates an external device digital certificate based on a commercial cryptographic algorithm and returns it to the requesting device. The certificate supports data encryption and decryption, signing and digest generation. The certificate issuing process involves the commercial cryptographic certificate synchronization module of the secure access gateway proxy end, and the information management module, commercial cryptographic certificate issuing module and commercial cryptographic certificate synchronization module of the secure access gateway server end.
Identity authentication function of the intelligent network-connected automobile secure access gateway. An external device such as a vehicle-mounted intelligent terminal, roadside unit, mobile APP or charging pile submits its digital certificate to the secure access gateway and requests identity verification. The secure access gateway verifies the validity and legality of the certificate. After verification passes, an access ticket is generated for the external device. The access ticket is sent to the external device (vehicle-mounted intelligent terminal, roadside unit, mobile APP, charging pile and so on) as the return value of identity verification.
Access control function of the intelligent network-connected automobile secure access gateway. After the identity authentication of an external device such as a vehicle-mounted intelligent terminal, roadside unit, mobile APP or charging pile passes, it obtains an access ticket and communicates with the cloud platform using the valid access ticket. The external device, holding the access ticket, initiates an access request to the secure access gateway; the secure access gateway verifies the access ticket and, after verification, forwards the request to the cloud platform; the cloud platform executes the API and fills in the return value according to the interface requirements; and the secure access gateway returns the return value to the external device (vehicle-mounted intelligent terminal, roadside unit, mobile APP, charging pile and so on), and the communication ends.
The main technical indexes of the intelligent network-connected automobile secure access gateway comprise: commercial cryptographic algorithms such as SM2, SM3 and SM4 are supported; the NeoKylin and Galaxy Kylin operating systems are supported; identity authentication >450 times/second; identity authentication response time <1000ms; new connection speed (times/second) >3000; throughput rate (MB/sec) >800Mbps; authentication number per second (TPS) >5000.
As shown in fig. 11, a schematic diagram of a deployment architecture of an intelligent network-connected automobile security access gateway is provided. In the project, the quantity of external equipment is large, and the equipment comprises configuration equipment such as 2 spare vehicle-mounted ends, 10 spare intelligent street lamps, ETC (electronic toll collection) and other roadside units, 10 spare deployment mobile phone terminals, 8000 spare charging piles and the like. The geographic range is wide, and vehicles run in all administrative areas of the country. Therefore, the secure access gateway is divided into a proxy end and a server end, wherein the proxy end of the secure access gateway adopts an edge deployment mode, and is close to the communication side of external equipment, and the server end is deployed in the cloud end in a centralized manner.
External devices such as vehicle-mounted intelligent terminals, roadside units, mobile APPs and charging piles communicate with the edge-side secure access gateway proxy end, which completes identity authentication, access control and similar work according to the service scenario; the secure access gateway proxy end and the server end cooperate on certificate synchronization and ticket handling according to the service scenario.
The security access gateway of the embodiment of the invention can be applied to various industrial environments, and various adaptation changes are made to the system architecture based on different industrial environments, and the changes are also within the protection scope of the invention.
The secure access gateway of the embodiment of the invention combines a national cryptographic certificate with a ticket, both based on commercial cryptographic algorithms, and performs strict checking and fine-grained comparison of the identity of the accessing device and the accessed API, thereby realizing identity authentication and access control of industrial access devices and greatly improving the secure access guarantee capability of industrial scenarios. Because the external device accesses with the access ticket generated by the secure access gateway, the efficiency of identity authentication and access control is greatly improved and the problem of low certificate authentication efficiency is solved.
Referring to fig. 12, the embodiment of the invention further provides an industrial equipment communication management method, which includes:
step 1201: when a certificate application request uploaded by external equipment of an industrial Internet is received, carrying out identity verification on the external equipment, applying a digital certificate for the external equipment when the identity verification of the external equipment passes, and returning the obtained digital certificate to the external equipment;
step 1202: when an access request uploaded by external equipment is received, verifying a digital certificate carried in the access request;
step 1203: when the digital certificate carried in the access request passes the verification, an access bill is generated for the external equipment, and the access bill is returned to the external equipment;
step 1204: when an access request for an application program interface (API) of an industrial Internet internal device uploaded by the external device is received, verifying the access ticket and the API information carried in the access request; and when the access ticket and the API information carried in the access request pass verification, sending an API execution request to the accessed industrial Internet internal device and returning the API execution result to the external device.
The industrial equipment communication management method addresses the trustworthiness of the identity of external access devices at the device-layer access point. When an external device accesses for the first time, the validity of its identity is checked, an identity digital certificate is issued for it and a ticket is generated; after the external device obtains the ticket, it accesses with the ticket, which remarkably improves the efficiency of identity authentication and access control and solves the problem of low certificate authentication efficiency. The identity and the accessed API of each external device are strictly checked, so that authentication security is ensured without affecting data transmission efficiency.
Preferably, the certificate application request carries device information of the external device and API information to be accessed;
when receiving a certificate application request uploaded by an industrial Internet external device, the step of carrying out identity verification on the external device comprises the following steps:
when a certificate application request uploaded by an industrial Internet external device is received, verifying the device information and the API information carried in the certificate application request according to the real device information and the accessible legal API information of the external device which are verified in advance, and determining that the identity verification of the external device passes when the device information and the API information carried in the certificate application request pass, or determining that the identity verification of the external device does not pass.
Preferably, the method further comprises:
storing the device information entered for the external device and its accessible API information after they have been verified.
Preferably, the step of applying for a digital certificate for the external device when the external device passes identity verification comprises:
when the identity verification of the external device passes, sending a request to a certificate authority to apply for a digital certificate for the external device, so that the certificate authority generates the digital certificate for the external device using a first preset national commercial cryptographic algorithm, and sending the digital certificate returned by the certificate authority to the external device.
Preferably, the first preset national commercial cryptographic algorithm is an elliptic curve public key cryptographic algorithm SM2 or a cryptographic hash algorithm SM3.
Preferably, the method further comprises:
after an access ticket is generated for the external device, setting the validity period of the access ticket;
and the step of verifying the access ticket carried in the access request, when an access request for an API of an industrial Internet internal device uploaded by an external device is received, comprises:
when an access request for an API of an industrial Internet internal device uploaded by the external device is received, verifying both the authenticity and the validity period of the access ticket carried in the access request.
Preferably, the step of generating an access ticket for the external device comprises:
generating an access ticket for the external device using a second preset national commercial cryptographic algorithm.
Preferably, the second preset national commercial cryptographic algorithm is a block cryptographic algorithm SM4.
According to this industrial equipment communication management method, which is built on commercial cryptographic algorithms, a national cryptographic certificate is combined with a ticket, and the identity of the accessing device and the API it accesses are strictly checked and compared at fine granularity. This realises identity authentication and access control for industrial access devices and greatly improves the secure-access assurance capability in industrial scenarios. Because the external device uses the access ticket for access, the efficiency of identity authentication and access control is greatly improved, and the problem of slow certificate-based authentication is solved.
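The certificate-then-ticket flow described above, modelled in Python as an added example that is not code from the patent or its assignee. It assumes a pre-verified device registry, models the certificate authority with a table of issued certificate serials in place of SM2 certificates, and protects the ticket with HMAC-SHA256 as a stand-in for SM4 because the standard library has no SM4; the checks (device info and API list at certificate application, certificate at ticket issuance, ticket authenticity, validity period and API information at access) follow the method steps.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class SecureAccessGateway:
    """Certificate management, identity authentication, ticket management and
    access control of the page's gateway, modelled in one class (assumption)."""

    def __init__(self, ticket_key, ticket_ttl_seconds=300):
        self.ticket_key = ticket_key          # key for the ticket MAC (SM4 stand-in)
        self.ticket_ttl = ticket_ttl_seconds  # validity period set on each ticket
        # Pre-verified external device information entered by the operator:
        # device id -> set of API names that device may access.
        self.registry = {}
        # Certificates issued so far: device id -> serial. Stands in for the
        # SM2 certificates a certificate authority would issue (assumption).
        self.issued_certs = {}

    def register_device(self, device_id, allowed_apis):
        self.registry[device_id] = set(allowed_apis)

    def apply_certificate(self, device_id, requested_apis):
        """Certificate application: device info and requested API info are
        checked against the pre-verified records before any certificate is issued."""
        allowed = self.registry.get(device_id)
        if allowed is None or not set(requested_apis) <= allowed:
            return None  # identity verification fails
        serial = secrets.token_hex(8)
        self.issued_certs[device_id] = serial
        return {"device_id": device_id, "serial": serial}

    def issue_ticket(self, cert, now=None):
        """Identity authentication of the certificate, then ticket generation
        with a validity period (exp)."""
        if self.issued_certs.get(cert.get("device_id")) != cert.get("serial"):
            return None  # certificate not recognised
        now = time.time() if now is None else now
        body = {"device_id": cert["device_id"], "exp": int(now) + self.ticket_ttl,
                "nonce": secrets.token_hex(4)}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.ticket_key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + tag).decode()

    def _verify_ticket(self, ticket, now):
        """Authenticity (MAC) and validity period of a presented ticket."""
        try:
            raw = base64.urlsafe_b64decode(ticket)
        except ValueError:
            return None
        payload, tag = raw[:-32], raw[-32:]
        expected = hmac.new(self.ticket_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # authenticity check fails
        body = json.loads(payload)
        if now > body["exp"]:
            return None  # validity period check fails
        return body

    def access_api(self, ticket, api, internal_devices, now=None):
        """Access control: ticket and API information are both verified before
        the request is forwarded to the internal device (the API proxy role)."""
        now = time.time() if now is None else now
        body = self._verify_ticket(ticket, now)
        if body is None:
            return {"status": "denied", "reason": "invalid or expired ticket"}
        if api not in self.registry.get(body["device_id"], set()):
            return {"status": "denied", "reason": "API not permitted for device"}
        handler = internal_devices.get(api)
        if handler is None:
            return {"status": "denied", "reason": "unknown API"}
        return {"status": "ok", "result": handler()}
```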
Since the method embodiment described above is substantially similar to the secure access gateway embodiment, the relevant points can be found in the corresponding description of the secure access gateway embodiment.
The embodiment of the invention also provides an electronic device, which may be a server. As shown in fig. 13, the device comprises a processor 1301, a communication interface 1302, a memory 1303 and a communication bus 1304, where the processor 1301, the communication interface 1302 and the memory 1303 communicate with each other through the communication bus 1304.
A memory 1303 for storing a computer program.
The processor 1301 is configured to execute a program stored in the memory 1303, and implement the following steps:
when a certificate application request uploaded by an external device of an industrial Internet is received, carrying out identity verification on the external device, applying for a digital certificate for the external device when its identity verification passes, and returning the obtained digital certificate to the external device;
when an access request uploaded by the external device is received, verifying the digital certificate carried in the access request;
when the digital certificate carried in the access request passes verification, generating an access ticket for the external device and returning the access ticket to the external device;
when an access request for an application programming interface (API) of an industrial Internet internal device uploaded by the external device is received, verifying the access ticket and the API information carried in the access request; and when both the access ticket and the API information pass verification, sending an API execution request to the accessed industrial Internet internal device and returning the API execution result to the external device.
The communication bus mentioned for the above electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, and so on. For ease of illustration the bus is drawn in the figure as a single bold line, which does not mean that there is only one bus or only one type of bus.
The communication interface is used for communication between the electronic device and other devices.
The memory may include random access memory (RAM) or non-volatile memory, such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment of the present invention, there is also provided a computer-readable storage medium having instructions stored therein, which when run on a computer, cause the computer to perform the industrial device communication management method described in the above embodiment.
In yet another embodiment of the present invention, there is also provided a computer program product containing instructions that, when run on a computer, cause the computer to perform the industrial equipment communication management method described in the above embodiments.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, produce in whole or in part the flows or functions of the embodiments of the present invention. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in, or transmitted from one computer-readable storage medium to another by, wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), etc.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In this specification, the embodiments are described in a related manner: identical and similar parts of the embodiments may be referred to each other, and each embodiment mainly describes its differences from the others. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief; for the relevant points, refer to the corresponding part of the description of the method embodiments.
The foregoing description is only of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are included in the protection scope of the present invention.

Claims (10)

1. A secure access gateway, comprising a certificate management module, an identity authentication module, a ticket management module and an access control module, wherein the certificate management module is used for verifying the device information and the API information carried in a certificate application request against the pre-verified real device information and accessible legal API information of an external device when a certificate application request uploaded by an industrial Internet external device is received, determining that the external device passes identity verification when both the device information and the API information carried in the certificate application request pass verification, applying for a digital certificate for the external device when its identity verification passes, and returning the obtained digital certificate to the external device, wherein the certificate application request carries the device information of the external device and the API information to be accessed;
the identity authentication module is used for verifying the digital certificate carried in an access request when the access request uploaded by the external device is received, and sending a verification-passed message to the ticket management module when the digital certificate carried in the access request passes verification;
the ticket management module is used for generating an access ticket for the external device when the verification-passed message sent by the identity authentication module is received, and returning the access ticket to the external device;
and the access control module is used for verifying the access ticket and the API information carried in an access request for an application programming interface (API) of an industrial Internet internal device when that access request, uploaded by the external device, is received, sending an API execution request to the accessed industrial Internet internal device when both the access ticket and the API information carried in the access request pass verification, and returning the API execution result to the external device.
2. The secure access gateway of claim 1, wherein the certificate application request carries the device information of the external device and the API information to be accessed;
the certificate management module is specifically configured to: when a certificate application request uploaded by an industrial Internet external device is received, verify the device information and the API information carried in the certificate application request against the pre-verified real device information and accessible legal API information of the external device, determine that the identity verification of the external device passes when both the device information and the API information carried in the certificate application request pass verification, and otherwise determine that the identity verification of the external device does not pass.
3. The secure access gateway of claim 2, further comprising:
an external device information management module, used for providing a device information entry interface and an API information entry interface, and for storing the entered device information of the external device and its accessible API information after verification.
4. The secure access gateway of claim 1, wherein the certificate management module is specifically configured to: when the identity verification of the external device passes, send a request to a certificate authority to apply for a digital certificate for the external device, so that the certificate authority generates the digital certificate for the external device using a first preset national commercial cryptographic algorithm, and send the digital certificate returned by the certificate authority to the external device.
5. The secure access gateway of claim 4, wherein the first predetermined national commercial cryptographic algorithm is an elliptic curve public key cryptographic algorithm SM2 or a cryptographic hash algorithm SM3.
6. The secure access gateway of claim 1, wherein the ticket management module is further configured to: after an access ticket is generated for the external device, set the validity period of the access ticket;
and the access control module is specifically configured to: when an access request for an API of an industrial Internet internal device uploaded by the external device is received, verify both the authenticity and the validity period of the access ticket carried in the access request.
7. The secure access gateway of claim 1, wherein the ticket management module is specifically configured to: generate the access ticket for the external device using a second preset national commercial cryptographic algorithm.
8. The secure access gateway of claim 7, wherein the second predetermined national commercial cryptographic algorithm is a block cryptographic algorithm SM4.
9. The secure access gateway of claim 1, further comprising an API proxy module;
the access control module is specifically configured to: when both the access ticket and the API information carried in the access request pass verification, send an API forwarding request to the API proxy module, so that the API proxy module sends an API execution request to the accessed industrial Internet internal device and returns the API execution result to the external device.
10. A method for managing communication of an industrial device, comprising:
when a certificate application request uploaded by an external device of an industrial Internet is received, verifying the device information and the API information carried in the certificate application request against the pre-verified real device information and accessible legal API information of the external device, determining that the external device passes identity verification when both the device information and the API information carried in the certificate application request pass verification, applying for a digital certificate for the external device when it passes identity verification, and returning the obtained digital certificate to the external device, wherein the certificate application request carries the device information of the external device and the API information to be accessed;
when an access request uploaded by the external device is received, verifying the digital certificate carried in the access request;
when the digital certificate carried in the access request passes verification, generating an access ticket for the external device and returning the access ticket to the external device;
when an access request for an application programming interface (API) of an industrial Internet internal device uploaded by the external device is received, verifying the access ticket and the API information carried in the access request; and when both the access ticket and the API information pass verification, sending an API execution request to the accessed industrial Internet internal device and returning the API execution result to the external device.
CN202011288558.6A 2020-11-17 2020-11-17 Safety access gateway and industrial equipment communication management method Active CN112383557B (en)

Publications (2)

Publication Number Publication Date
CN112383557A CN112383557A (en) 2021-02-19
CN112383557B true CN112383557B (en) 2023-06-20


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant